Overview
Make authsome deployable as a shared server serving multiple users. Self-hostable via Docker; Authsome Inc. will also run a managed version with bundled OAuth app credentials.
Architecture decisions
- Identity: Hybrid DID (stable user identifier proven once via browser/OIDC; the server then issues a bearer token). Per-request AuthService with the user identity injected from the bearer token. See docs/UBIQUITOUS_LANGUAGE.md.
- Storage: Per-user LocalAppStore at /data/<user-id>/ for v1. Postgres backend deferred.
- ClientCredentials: ProviderClientRecord moves to server scope (server:<provider>:client), shared across all users. See docs/adr/0001-provider-client-record-server-scope.md.
- Hosted proxy: Option B (local sidecar + remote daemon via AUTHSOME_DAEMON_URL) already works. Option A (server-side mitmproxy) is deferred.
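To make the scoping concrete, here is an added sketch (not authsome's own code; the function names, the in-memory token map and the user-id character policy are assumptions) of how a per-request AuthService built from a bearer token gets its own /data/<user-id>/ home while ProviderClientRecord lookups go through the shared server:<provider>:client key:

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import Path

DATA_ROOT = Path("/data")  # per-user store root from the issue

# Assumed policy: user ids are opaque slugs, so they can never contain a path
# separator or be "." / ".."; this is what keeps /data/<user-id>/ per user.
USER_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_valid_user_id(user_id: str) -> bool:
    return bool(USER_ID_RE.fullmatch(user_id)) and user_id not in (".", "..")


def user_store_home(user_id: str, data_root: Path = DATA_ROOT) -> Path:
    """Resolve the per-user LocalAppStore home, refusing ids that could escape."""
    if not is_valid_user_id(user_id):
        raise ValueError(f"invalid user id: {user_id!r}")
    return data_root / user_id


def provider_client_key(provider: str) -> str:
    """Server-scope key for a ProviderClientRecord (shared across all users)."""
    return f"server:{provider}:client"


@dataclass(frozen=True)
class AuthService:
    """Built once per request; identity comes from the bearer token, not the client."""
    user_id: str
    home: Path
    server_records: dict[str, dict] = field(default_factory=dict, compare=False)

    def client_record(self, provider: str) -> dict:
        # Same record for every user: client credentials are not per-user state.
        return self.server_records[provider_client_key(provider)]


def auth_service_for_request(authorization: str, tokens: dict[str, str],
                             server_records: dict[str, dict]) -> AuthService:
    """Map an Authorization header to a per-request AuthService.

    `tokens` is a constructed stand-in for the server's issued-token store.
    """
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        raise PermissionError("missing bearer token")
    user_id = tokens.get(token.strip())
    if user_id is None:
        raise PermissionError("unknown token")
    return AuthService(user_id, user_store_home(user_id), server_records)
```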
Sub-issues
- LocalAppStore per user, fix AppStore.home: Path leak
- ProviderClientRecord server scope: key schema change, drop profile field
- session.profile == requesting_identity